Risks

If a risk assessment is not in place when the regulator scopes and plans an examination, the regulator is required to notify senior management and prepare a risk assessment him or herself. If this happens:

1. The examiner immediately assumes that risk management is not a priority at the bank, and that the compliance program will be lacking.
2. The bank cedes the opportunity to conduct and draft a risk assessment that aligns with its particular risk preferences, management style and structure, and culture.
3. The examiner is likely to expect that the compliance program is not based on a solid understanding of the true risk environment and proceed accordingly.
4. Supervisory confidence in executive and senior management governance is diminished.

If risk assessments are inadequate or outdated, financial institutions face another set of risks:

1. Regulatory scrutiny of board and senior management compliance processes will be intensified.
2. The compliance programs, which are driven by the risk assessments, are certain also to be inadequate or outdated. This will trigger an intensified risk-based examination process that will focus on the efficacy of internal controls of the highest risk exposure areas.
3. The dedication and competency of the board and senior management regarding compliance will come into question. This can raise the specter of willful neglect that can lead to civil and criminal charges.
4. The qualifications, independence, authority of the BSA officer as well as resources allocated to the function may come under scrutiny and reflect poorly on the board as well as the individual. 

Depending on the severity of the findings, the exam will likely result in matters requiring attention (MRAs) or matters requiring immediate attention (MRIAs). If management's response to these matters is not timely or adequate, the bank -- and possibly some of its officers -- may be subject to enforcement penalties. Ignored MRIAs could lead to cease and desist orders and crushing enforcement penalties that, in extreme cases, can cause the closing or sale of the bank.      

Opportunities

The Risk-Return principal, fundamental to financial services, also has relevance in the AML and OFAC compliance arena. Categories that present the highest risk AML and OFAC exposures typically are also the most profitable for the bank. The key is to find the balance where profitability and competitiveness is optimized through imposition of internal controls that monitor and manage the risk in a cost-efficient manner.

This balance is not easy to achieve nor to maintain.  The risk assessment, however, is an excellent means of capturing in detail the enterprise risk construct and the attendant control structure -- the bank's "risk profile".

The risk assessment serves two primary functions:

• It satisfies BSA requirements that a bank conduct a periodic enterprise risk assessment, and, based on that assessment, modify and/or expand its written compliance program. The risk assessment is a primary tool used by regulators to scope and plan examinations of the adequacy of the bank's compliance program.
• The risk assessment is a valuable management tool that allows strategic alignment of existing  risk with the bank's unique risk appetite. By measuring the risk profile against the bank's risk appetite, an optimum construct of products, services, customers, entities, and geographic locations -- with their attendant control processes -- can be designed to achieve a salutary risk-reward balance.

A strong risk assessment is indicative of management dedicated to good governance and compliance, and that all reasonable measures to prevent infractions have been taken. It is understood that under the best of circumstances violations can occur and that evidence of all reasonable measures being taken constitutes compliance.